Usually i just restart Apache within the 30 days of expiry to get a a new 90 day cert but not this time.
The new Cert will not generate and i assume its because of the ‘DST Root CA X3?
What are my options to get a new cert?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.openedmb.ca
I ran this command:
It produced this output:
My web server is (include version): Apache 2.4.20
The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS
My hosting provider, if applicable, is: none
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 0.17.0
That's almost certain an incorrect assumption. Recently there was a change in intermediate signing certificate, but nothing has been changed with regard to the default chain to the root certificate.
Unless you're paying Canonical via an ESM contract, that operating system fell out of official support about a year ago
It would be a good idea to switch to a more recent operating system release in order to continue getting official security updates! (And typically the Certbot developers have also said that Certbot isn't officially supported on operating systems that are no longer supported by their distributors.)
I understand your point and I do feel the same way as you about using such outdated software.
But I can't help reading contradiction in the statements as described in your post:
But if you can pay for support, then it is being supported.
Thus, if even one person (anyone/anywhere) is paying them for extended support, then they are "officially" supporting it and the Certbot developers would have to do so also.
"Official support" is not necessarily tied to spending any money for it - their "support" is mostly free.
Here "regular support" and "extended support" are being treated unequally.
Even the Ubuntu site also blurs the definitions with:
"Maintenance updates" & "Extended Security Maintenance"
Both include the word "Maintenance" (both equal)
One contains "updates" (any change is an update; so that's implied for both)
One contains "Security" (here is the blur - does certbot provide "security"?)
One contains "Extended" (not equal - but this only implies additional time for said services for those customers that pay the extended fee)
In conclusion: I don't think anyone could explain it any better, so (in my mind) the contradiction seems to stand no matter how it is written/explained.
Unless you can clearly see that certbot does not provide any type of security service.
But I fail to enjoy that perspective (the view from the cheap seats is skewed or maybe it's the tinfoil hat).
If you pay Canonical for ESM support, you should be able to get Canonical to give you updated packages for Certbot, just as you should be able to get updated packages for anything else you rely on that Canonical had previously packaged in that distribution, depending on the scope of the ESM contract (which I'm not actually familiar with).